§ 278g-3. Computer standards program

• (a) Development of standards, guidelines, methods, and techniques for computer systems

  The Institute shall -

  • (1) have the mission of developing standards, guidelines, and associated methods and techniques for computer systems;
  • (2) except as described in paragraph (3) of this subsection (relating to security standards), develop uniform standards and guidelines for Federal computer systems, except those systems excluded by section 2315 of title 10 or section 3502(2) (FOOTNOTE 1) of title 44;

    (FOOTNOTE 1) See References in Text note below.

  • (3) have responsibility within the Federal Government for developing technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive information in Federal computer systems except -
    • (A) those systems excluded by section 2315 of title 10 or section 3502(2) (FOOTNOTE 1) of title 44; and
    • (B) those systems which are protected at all times by procedures established for information which has been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy, the primary purpose of which standards and guidelines shall be to control loss and unauthorized modification or disclosure of sensitive information in such systems and to prevent computer-related fraud and misuse;
  • (4) submit standards and guidelines developed pursuant to paragraphs (2) and (3) of this subsection, along with recommendations as to the extent to which these should be made compulsory and binding, to the Secretary of Commerce for promulgation under section 759(d) of title 40;
  • (5) develop guidelines for use by operators of Federal computer systems that contain sensitive information in training their employees in security awareness and accepted security practice, as required by section 5 of the Computer Security Act of 1987; and
  • (6) develop validation procedures for, and evaluate the effectiveness of, standards and guidelines developed pursuant to paragraphs (1), (2), and (3) of this subsection through research and liaison with other government and private agencies.
• (b) Technical assistance and implementation of standards developed

  In fulfilling subsection (a) of this section, the Institute is authorized -

  • (1) to assist the private sector, upon request, in using and applying the results of the programs and activities under this section;
  • (2) to make recommendations, as appropriate, to the Administrator of General Services on policies and regulations proposed pursuant to section 759(d) of title 40;
  • (3) as requested, to provide to operators of Federal computer systems technical assistance in implementing the standards and guidelines promulgated pursuant to section 759(d) of title 40;
  • (4) to assist, as appropriate, the Office of Personnel Management in developing regulations pertaining to training, as required by section 5 of the Computer Security Act of 1987;
  • (5) to perform research and to conduct studies, as needed, to determine the nature and extent of the vulnerabilities of, and to devise techniques for the cost-effective security and privacy of sensitive information in Federal computer systems; and
  • (6) to coordinate closely with other agencies and offices (including, but not limited to, the Departments of Defense and Energy, the National Security Agency, the General Accounting Office, the Office of Technology Assessment, and the Office of Management and Budget) -
    • (A) to assure maximum use of all existing and planned programs, materials, studies, and reports relating to computer systems security and privacy, in order to avoid unnecessary and costly duplication of effort; and
    • (B) to assure, to the maximum extent feasible, that standards developed pursuant to subsection (a)(3) and (5) of this section are consistent and compatible with standards and procedures developed for the protection of information in Federal computer systems which is authorized under criteria established by Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy.
• (c) Protection of sensitive information

  For the purposes of -

  • (1) developing standards and guidelines for the protection of sensitive information in Federal computer systems under subsections (a)(1) and (a)(3) of this section, and
  • (2) performing research and conducting studies under subsection (b)(5) of this section, the Institute shall draw upon computer system technical security guidelines developed by the National Security Agency to the extent that the Institute determines that such guidelines are consistent with the requirements for protecting sensitive information in Federal computer systems.
• (d) Definitions

  As used in this section -

  • (1) the term "computer system" -
    • (A) means any equipment or interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception, of data or information; and
    • (B) includes -
      • (i) computers;
      • (ii) ancillary equipment;
      • (iii) software, firmware, and similar procedures;
      • (iv) services, including support services; and
      • (v) related resources as defined by regulations issued by the Administrator for General Services pursuant to section 759 of title 40;
  • (2) the term "Federal computer system" -
    • (A) means a computer system operated by a Federal agency or by a contractor of a Federal agency or other organization that processes information (using a computer system) on behalf of the Federal Government to accomplish a Federal function; and
    • (B) includes automatic data processing equipment as that term is defined in section 759(a)(2) of title 40;
  • (3) the term "operator of a Federal computer system" means a Federal agency, contractor of a Federal agency, or other organization that processes information using a computer system on behalf of the Federal Government to accomplish a Federal function;
  • (4) the term "sensitive information" means any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5 (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept secret in the interest of national defense or foreign policy; and
  • (5) the term "Federal agency" has the meaning given such term by section 472(b) of title 40.